<http://www.phpx.org> PHPX is a constantly evolving Content Management
System (CMS). It is a highly customizable, high-powered all-in-one system
that combines content management with the features of a portal by shipping
modules such as FAQ, polls, and forums in the core package.

Cross-site Scripting
PHPX relies on a function in the includes/functions.inc.php file,
checkURI(), to strip dangerous characters out of the URI. The function is
not written properly and does not adequately sanitize the input it
receives. Taking a closer look:

It is clearly evident that only a few special characters are filtered out,
and that no care is taken to catch the same characters when they arrive
URL-encoded (for example %3C for '<' and %3E for '>'). Examples of such
encoded URLs are presented below:
forums.php?forum_id=[VID]&limit=25%3Ciframe%3E
forums.php?forum_id=[VID]&topic_id=[VID]&limit=15%3Ciframe%3E
users.php?action=&limit=100%3Ciframe%3E
users.php?action=view&user_id=[VID]%3E%3Ciframe%3E
forums.php?action=post&forum_id=[VID]%3E%3Ciframe%3E
forums.php?action=search&search_id=[VID]&limit=25%3E%3Ciframe%3E
users.php?action=email&user_id=%3E%3Ciframe%3E
forums.php?forum_id=[VID]%3E%3Ciframe%3E
forums.php?forum_id=[VID]&topic_id=[VID]&limit=%3E%3Ciframe%3E
forums.php?action=post&forum_id=[VID]&topic_id=[VID]%3E%3Ciframe%3E
news.php?news_id=[VID]%3E%3Ciframe%3E
forums.php?forum_id=[VID]&topic_id=[VID]%3E%3Ciframe%3E

Here [VID] stands for a valid id of the appropriate kind for the function
being called. Other XSS attacks are possible, and the list provided is by
no means complete.
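The following is an added illustration, not PHPX's checkURI() (whose source is not reproduced above). naive_check_uri() is a hypothetical model of the weak filter the advisory describes: it strips a handful of literal metacharacters from the raw, still percent-encoded query string, while the script then works with the decoded parameter. The hardened version validates each parameter by type and escapes at the point of output; the request string is constructed in the shape of the forums.php examples above.

```php
<?php
// Added illustration, not PHPX code. naive_check_uri() is a hypothetical
// stand-in for a blacklist filter applied to the raw request URI.

// Hypothetical model of the weak filter: strip a few literal metacharacters
// from the raw URI and nothing else.
function naive_check_uri($raw_uri) {
    return str_replace(array('<', '>', '"', "'"), '', $raw_uri);
}

// Vulnerable flow: the filter inspects the encoded URI, so "%3C" and "%3E"
// pass untouched; parse_str() then decodes them and the script echoes the
// result into the page.
function vulnerable_page($raw_query) {
    $filtered = naive_check_uri($raw_query);   // no literal '<' to strip
    parse_str($filtered, $params);             // %3C -> '<', %3E -> '>'
    $limit = isset($params['limit']) ? $params['limit'] : '';
    return '<a href="?limit=' . $limit . '">' . $limit . ' per page</a>';
}

// Hardened flow: decide what each parameter *is* and validate it as that
// type; escape anything that is echoed into HTML, at the point of output.
function clamp_int($raw, $default, $min, $max) {
    if (!ctype_digit((string) $raw)) {   // '', '25<iframe>' -> default
        return $default;
    }
    $n = (int) $raw;
    return ($n < $min || $n > $max) ? $default : $n;
}

function h($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

function hardened_page($raw_query) {
    parse_str($raw_query, $params);
    $raw   = isset($params['limit']) ? $params['limit'] : '';
    $limit = clamp_int($raw, 25, 1, 100);
    return '<a href="?limit=' . h($limit) . '">' . h($limit) . ' per page</a>';
}

// Constructed request in the shape of the forums.php examples: an encoded
// <iframe> tag appended to a numeric limit.
$q = 'forum_id=1&limit=25%3Ciframe%20src%3D%2F%2Fattacker.example%3E';
echo vulnerable_page($q), "\n";   // reflects the decoded tag verbatim
echo hardened_page($q), "\n";     // limit is clamped to a number and escaped
```

The two functions differ in where the check happens: the filter looks at one representation of the input (encoded) while the application consumes another (decoded), so any blacklist placed before decoding is trivially bypassed. Validating the decoded value as the type it should be, and escaping at output with htmlspecialchars(), does not depend on guessing which encodings an attacker will use.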

Path Disclosure
It is possible for an attacker to learn the full physical path of the PHPX
installation by sending an empty or invalid value to several instances of
the $limit variable.

For example:
forums.php?action=search&search_id=[VID]&limit=

The result is a mysql_fetch_row() warning that reveals the full path to the
PHPX installation: the empty LIMIT clause makes the query fail, the script
passes the failed result to mysql_fetch_row() without checking it, and the
resulting PHP warning, which names the script's full path, is displayed to
the browser.
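The following is an added illustration, not PHPX code, of how an empty $limit turns into a path-disclosing warning and how to stop both the bad query and the leak. The vulnerable pattern is shown in comments in the mysql_* style of the era described by the advisory; the hardened function uses mysqli prepared statements. Table and column names, the script path in the sample warning, and the connection parameters are made up.

```php
<?php
// Added illustration, not PHPX code. Table, column and path names are
// hypothetical.

// The vulnerable shape the advisory describes (mysql_* era, for reference):
//   $sql = "SELECT post_id FROM forum_posts WHERE forum_id=$forum_id LIMIT $limit";
//   $res = mysql_query($sql);             // "... LIMIT " is a syntax error: $res === false
//   while ($row = mysql_fetch_row($res))  // mysql_fetch_row(false) emits a warning of
//   // the form: "mysql_fetch_row(): supplied argument is not a valid MySQL result
//   // resource in /var/www/phpx/forums.php on line 87" (typical wording)
//   With display_errors=On that text, path included, is sent to the browser.

// 1. Never let $limit reach the query as a string. Accept only a bounded integer.
function limit_or_default($raw, $default = 25, $max = 100) {
    if (!ctype_digit((string) $raw)) {      // '', 'abc', '25<iframe>' all fail this
        return $default;
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= $max) ? $n : $default;
}

// 2. Bind it, check every step, and log failures instead of printing them.
//    Returns null on failure so the caller can render a generic error page.
function fetch_forum_posts(mysqli $db, $forum_id, $raw_limit) {
    $forum_id = (int) $forum_id;
    $limit    = limit_or_default($raw_limit);
    $stmt = $db->prepare(
        'SELECT post_id, subject FROM forum_posts WHERE forum_id = ? '
        . 'ORDER BY post_id DESC LIMIT ?'
    );
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);   // server log, not the response
        return null;
    }
    $stmt->bind_param('ii', $forum_id, $limit);
    if (!$stmt->execute()) {
        error_log('execute failed: ' . $stmt->error);
        return null;
    }
    $result = $stmt->get_result();
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : null;
}

// 3. Even an unexpected warning must never reach the client. The production
//    values belong in php.ini; they are set here so the demo is self-contained.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Offline walk-through of step 1 with the request shapes from the advisory:
// the empty value (path-disclosure case), a normal value, the XSS payload,
// and an oversized value. Everything but '25' falls back to the default.
foreach (array('', '25', '25<iframe>', '5000') as $raw) {
    printf("limit=%-12s -> %d\n", var_export($raw, true), limit_or_default($raw));
}

// fetch_forum_posts() needs a live connection (hypothetical credentials):
//   $db   = new mysqli('localhost', 'phpx', 'secret', 'phpx');
//   $rows = fetch_forum_posts($db, 3, isset($_GET['limit']) ? $_GET['limit'] : '');
```

Two separate defects are being fixed here. The first is that $limit is interpolated unchecked into SQL, which is what makes an empty value break the query at all (and, since the value is attacker-controlled, is a SQL injection point in its own right). The second is that the script never checks whether the query succeeded and lets PHP's default warning output reach the user; checking return values and keeping display_errors off close the disclosure even if some other query fails for an unrelated reason.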

Arbitrary Command Execution
Since there is neither a session ID nor any kind of key validating
administrative commands, those commands can be forged by a third party
(cross-site request forgery). All an attacker has to do is send an admin a
private message or make a malicious post that embeds the desired command,
and the command will silently execute when the admin views it.

If any one of these commands is placed in an image tag, an attacker could
delete users, news items, pages, images, polls, word censors, flags, xcode,
and probably more.
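The following is an added illustration, not PHPX code, of an admin action that trusts any request arriving with the admin's session cookie, beside the same action protected by a per-session auth key (the kind of fix the vendor status below describes). The script name, parameter names, the session layout and the forum post are hypothetical.

```php
<?php
// Added illustration, not PHPX code. Script, parameter and session names are
// hypothetical.

// Vulnerable shape. A request such as
//   admin.php?action=delete_user&user_id=7
// is honoured as long as the browser holds an admin session. A forum post
// or private message containing
//   [img]http://target.example/admin.php?action=delete_user&user_id=7[/img]
// makes the admin's browser issue exactly that request, cookies included,
// the moment the admin views it.
function delete_user_vulnerable(array $session, array $request) {
    if (empty($session['is_admin'])) {
        return 'denied';
    }
    return 'deleted user ' . (int) $request['user_id'];   // nothing proves the admin meant it
}

// Hardened shape.
// (a) One random key per session, minted when the session is created.
function issue_auth_key(array &$session) {
    if (empty($session['auth_key'])) {
        $session['auth_key'] = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    }
    return $session['auth_key'];
}

// (b) Every state-changing form the admin sees carries that key as a hidden
//     field. A post or message written by another user cannot read it.
function delete_user_form(array &$session, $user_id) {
    $key = htmlspecialchars(issue_auth_key($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="admin.php">'
         . '<input type="hidden" name="action" value="delete_user">'
         . '<input type="hidden" name="user_id" value="' . (int) $user_id . '">'
         . '<input type="hidden" name="auth_key" value="' . $key . '">'
         . '<button type="submit">Delete user</button></form>';
}

// (c) The handler insists on POST (an <img> tag or a link can only produce
//     GET) and on a key matching the session's, compared in constant time.
function delete_user_hardened($method, array $session, array $post) {
    if (empty($session['is_admin'])) {
        return 'denied';
    }
    if ($method !== 'POST') {
        return 'denied: state changes only via POST';
    }
    $sent = isset($post['auth_key']) ? (string) $post['auth_key'] : '';
    if (empty($session['auth_key']) || !hash_equals($session['auth_key'], $sent)) {
        return 'denied: missing or wrong auth_key';
    }
    return 'deleted user ' . (int) $post['user_id'];
}

// Constructed walk-through: an admin session, the forged request an [img]
// tag would produce, and a genuine submission of the form above.
$session = array('is_admin' => true);
issue_auth_key($session);
$forged  = array('action' => 'delete_user', 'user_id' => 7);
$genuine = $forged + array('auth_key' => $session['auth_key']);

echo delete_user_vulnerable($session, $forged), "\n";          // forged request succeeds
echo delete_user_hardened('GET',  $session, $forged), "\n";    // rejected: wrong method
echo delete_user_hardened('POST', $session, $forged), "\n";    // rejected: no key
echo delete_user_hardened('POST', $session, $genuine), "\n";   // accepted
echo delete_user_form($session, 7), "\n";                      // the form a real admin sees
```

Requiring POST on its own is not enough, as the quoted remark below about POST without an auth key points out: a page under the attacker's control can auto-submit a form. The key is what ties the request to a page the admin actually loaded from the site, so it must be unpredictable, bound to the session rather than a site-wide constant, and kept out of URLs (where it would leak through Referer headers and logs). The file-extension check on [img] targets that the quote criticises fails for the same reason: the request still carries the admin's cookies regardless of what the URL ends with.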

Quoting JeiAr:
"In the past I have seen phpBB for example deal with the same issue of
using unsafe GET requests by limiting the bbcode to only allow images with
a valid extension. However this is a bad idea because it does not solve
the problem at all, and to this day all phpBB versions are vulnerable to
having arbitrary posts deleted and more just by visiting a malicious web
page or link. It is a serious issue and should be treated as such. It
greatly impacts the security of a web application. Even using the POST
method without an auth key or the like is a bad idea."

Vendor Status:
The lead developer of the project was first informed over a month ago. The
issues have been addressed and a new, more secure auth_key scheme has been
added to validate actions. Upgrade to version 3.3.0.

ADDITIONAL INFORMATION

The information has been provided by <mailto:security@gulftech.org>
JeiAr.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.